Personal Security Incidents Can Put Everyone at Risk

When employees use their own devices for work, there’s no such thing as a personal security breach

It’s no exaggeration to say that mobile smart devices have changed the way people work. With smartphone in hand, employees now expect to be able to check email from their kid’s baseball game, finalize financial transactions on the fly, and log into cloud-based services at the gym—not to mention play Angry Birds whenever they want. The downside to this round-the-clock connectivity is the security risk it can introduce to your network and, because devices are personally owned, the difficulty of locking them down. These days, there’s no such thing as a personal security breach. A security incident on a personal device can put your entire network at risk.

This isn’t as far-fetched as it might sound. According to the Cisco 2011 Annual Security Report, three out of four employees worldwide have multiple devices, like a laptop and a smartphone, and one in three young professionals use at least three different devices for work. The research also shows that the most popular mobile platforms—Apple iPhones and iPads and Google Android devices—have become targets for malware. Malicious software can be introduced in a variety of ways, but many small businesses have found themselves infected by malware inadvertently passed on from an employee’s personal device.

Blurring the line between personal and professional

As people continue to blur the line between their personal and professional activities, you can expect to see more personal security breaches affecting the local business network. For example, many small companies maintain a Facebook page for marketing purposes, and many employees who administer these fan pages also have their own Facebook profile pages. While checking his or her personal Facebook pages, an employee may unknowingly download and install an applet that runs in the background to capture data in the web browser window. If they then switch over to the company’s Facebook page, that malware can capture data from that page, too. To help mitigate this exposure, people should shut down their browsers between sessions. (See this post for more information on how to safely and securely use social media for your small business.)

Worse, some malware can continue running in the background even after the browser has been closed. If the malware has been installed on a computer, perhaps a company laptop or desktop, it may then be able to capture sensitive business data stored on or accessed through that device. The same thing can happen on personal smartphones that are used to access web-based applications, such as a customer relationship management (CRM) client. That personal security breach just became a problem for your entire network.

Of course, your business can be impacted by a personal security breach in other less direct ways. Consider the employee who just discovered she was the victim of identity theft. She’s going to be worried and she’s going to spend a lot of time, emotional effort, and money to restore her identity, making phone calls to her bank, dealing with debt collectors, and more. As far as your business is concerned, her productivity is going to drop significantly while she’s dealing with this time- and attention-consuming problem.

Although it’s not your direct responsibility to protect the individual privacy of your employees, especially on their personal devices, doing so benefits your company. It not only safeguards your local network, it also ensures employees’ ongoing productivity.

All for one and one for all

The first step in helping employees protect themselves from security incidents is education. Make sure they’re aware that security is their responsibility, too, and that security threats pose a real danger to them personally. It’s important to educate everyone on the basics, such as learning how to spot dangerous email and potentially malicious websites. Second, your acceptable use policy must include information about how personal devices can be used in the workplace and what happens in the event of a security incident, whether it affects the company or the employees themselves. And third, find out if your security solution can also help protect personal smartphones and tablets as well as your company’s computers. For example, a security appliance like the Cisco SA500 Series will monitor for web threats as employees browse the Internet from their own devices just as it does from company computers, and can block any inadvertent attempts to download malware from a known malicious site. Of course, this only works if employees are accessing the Internet over the local network from behind your firewall.

Finally, encourage employees to install security software on their smartphones and tablets that will protect their personal data. Even though you can’t require employees to install certain apps on their own devices, you can make it a condition of using those devices to access your company’s network. Consider apps like TaintDroid and Lookout Mobile Security, which can show users which mobile apps are accessing their location and other personal, sensitive data.

In this age of BYOD, it pays to take a holistic attitude towards security so everyone is looking out for everyone else. Remember, if someone you have a relationship with experiences a security breach, chances are good it will trickle down to you. Even if a virus, malware, or other security threat starts out on just one smartphone, it can quickly proliferate throughout your network.

Have you taken steps to help your employees protect their personal devices from security breaches?
